Table of Contents
Release Notes for Cisco ASDM, Version 7.1(x)
ASDM Client Operating System and Browser Requirements
Java and Browser Compatibility
Installing an Identity Certificate for ASDM
Maximum Configuration Size in ASDM
New Features in Version 7.1(7)
New Features in Version 7.1(6)
New Features in Version 7.1(5.100)
New Features in Version 7.1(5)
New Features in Version 7.1(4)
New Features in Version 7.1(3)
New Features in Version 7.1(2.102)
New Features in Version 7.1(2)
New Features in Version 7.1(1)
Open Caveats in 7.1(5) and 7.1(5.100)
Resolved Caveats in 7.1(5.100)
Resolved Caveats in 7.1(2.102)
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco ASDM, Version 7.1(x)
This document contains release information for Cisco ASDM Version 7.1(1) through 7.1(7) for the Cisco ASA series. This document includes the following sections:
Important Notes
- ASDM login issue in 9.1(3) and later—You can no longer log into ASDM with no username and the enable password. You must configure ASDM AAA authentication (Configuration > Device Management > Users/AAA > AAA Access > Authentication and associated username configuration) and/or ASDM certificate authentication (Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH). Before you upgrade to 9.1(3), be sure to configure one of these authentication methods. (CSCuj50862)
- ASA 9.1(3) features for the ASA CX require ASA CX Version 9.2(1).
- Upgrading to 9.1(2.8) or 9.1(3) or later—See the “Upgrading the Software” section.
System Requirements
- ASDM Client Operating System and Browser Requirements
- Java and Browser Compatibility
- Installing an Identity Certificate for ASDM
- ASA and ASDM Compatibility
- VPN Compatibility
- Maximum Configuration Size in ASDM
ASDM Client Operating System and Browser Requirements
Table 1 lists the supported and recommended client operating systems and Java for ASDM.
Microsoft Windows (English and Japanese):
- 81
- 7
- Vista
- 2008 Server
- XP
Java and Browser Compatibility
Table 2 lists compatibility caveats for Java, ASDM, and browser compatibility.
To continue using the Launcher, do one of the following:
- Install a trusted certificate on the ASA from a known CA.
- Install a self-signed certificate and register it with Java. See the ASDM certificate procedure in this document.
- Downgrade Java to 7 update 45 or earlier.
- Alternatively use Java Web Start.
To use Java Web Start, do one of the following:
- Upgrade ASDM to Version 7.1(5.100) or later. This ASDM version includes the Permissions attribute in the JAR manifest, which is required as of Java 7 Update 51.
- To use ASDM 7.1(5) or earlier, add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:
http://java.com/en/download/help/java_blocked.xml
If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.1(5.100) or later, then you can either use the CLI to upgrade ASDM, or you can use the above security exception workaround to launch the older ASDM, after which you can upgrade to a newer version.
ASDM shows a yellow warning about the missing Permissions attribute
Java 7 update 45 shows a warning when an application does not have the Permissions attribute in the JAR manifest. It is safe to ignore this warning. To prevent this warning from appearing, upgrade to ASDM 7.1(5.100) or later; this ASDM version includes the Permissions attribute, which will be required as of Java 7 Update 51.
Note Due to a bug in Java, even if you upgrade to ASDM 7.1(5.100) or later, if you also do not have a trusted certificate installed on the ASA, you continue to see the yellow warning about the missing Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites checkbox.
ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 ( http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html). Note that a workaround is required for weak encryption and Java 6 (see below, in this table).
You may see the following error message when opening the ASDM Launcher:
In this case, Java 7 is the currently-preferred Java version. Either upgrade ASDM to 7.1(4) or later, or you need to set Java 6 as the preferred Java version: Open the Java Preferences application (under Applications > Utilities), select the preferred Java version, and drag it up to be the first line in the table.
Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.
Requires strong encryption license (3DES/AES) on ASA or workaround
When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:
- If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.
- For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details.
- For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.
If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags.
For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.
On MacOS, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.
Installing an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate.
See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.
ASA and ASDM Compatibility
For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility :
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the new features tables to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series :
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html
Maximum Configuration Size in ASDM
- ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.
a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.
c. In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
a. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
b. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
c. Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
d. If this file is locked, you see an error such as the following:
e. Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
New Features
Note Versions prior to 7.1(6) are no longer available to download. Please upgrade to a later version.
- New Features in Version 7.1(7)
- New Features in Version 7.1(6)
- New Features in Version 7.1(5.100)
- New Features in Version 7.1(5)
- New Features in Version 7.1(4)
- New Features in Version 7.1(3)
- New Features in Version 7.1(2.102)
- New Features in Version 7.1(2)
- New Features in Version 7.1(1)
New Features in Version 7.1(6)
Table 3 lists the new features for ASA Version 9.1(5)/ASDM Version 7.1(6).
New Features in Version 7.1(5)
Table 4 lists the new features for ASA Version 9.1(4)/ASDM Version 7.1(5).
New Features in Version 7.1(4)
Table 5 lists the new features for ASA Version 9.1(3)/ASDM Version 7.1(4).
ASDM 7.1(3) for ASA 9.0(3)
Table 6 lists the new features for ASA Version 9.0(3)/ASDM Version 7.1(3).
Note Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(3) unless they were listed in the 9.0(1) feature table.
ASDM 7.1(3) for ASA 9.1(2)
Table 7 lists the new features for ASA Version 9.1(2)/ASDM Version 7.1(3).
Note Features added in 8.4(6) are not included in 9.1(2) unless they are explicitly listed in this table.
New Features in Version 7.1(2.102)
Table 8 lists the new features for ASA Version 8.4(6)/ASDM Version 7.1(2.102).
New Features in Version 7.1(2)
Table 9 lists the new features for ASA Version 9.0(2)/ASDM Version 7.1(2).
Note Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(2) unless they were listed in the 9.0(1) feature table.
New Features in Version 7.1(1)
Table 10 lists the new features for ASA Version 9.1(1)/ASDM Version 7.1(1).
Note Features added in 8.4(4.x), 8.4(5), 8.4(6), and 9.0(2) are not included in 9.1(1) unless they were listed in the 9.0(1) feature table.
Upgrading the Software
See http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/upgrade/upgrade91.html.
Open Caveats
- Open Caveats in 7.1(7)
- Open Caveats in 7.1(6)
- Open Caveats in 7.1(5) and 7.1(5.100)
- Open Caveats in 7.1(4)
- Open Caveats in 7.1(3)
- Open Caveats in 7.1(2.102)
- Open Caveats in 7.1(2)
- Open Caveats in 7.1(1)
Open Caveats in 7.1(7)
Table 11 contains open caveats in ASDM software Version 7.1(7).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Open Caveats in 7.1(6)
Table 12 contains open caveats in ASDM software Version 7.1(6).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Open Caveats in 7.1(5) and 7.1(5.100)
Table 13 contains open caveats in ASDM software Version 7.1(5) and 7.1(5.100).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Open Caveats in 7.1(4)
Table 14 contains open caveats in ASDM software Version 7.1(4).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Open Caveats in 7.1(3)
Table 15 contains open caveats in ASDM software Version 7.1(3).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Open Caveats in 7.1(2.102)
Table 16 contains open caveats in ASDM software Version 7.1(2.102).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Open Caveats in 7.1(2)
Table 17 contains open caveats in ASDM software Version 7.1(2).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Open Caveats in 7.1(1)
Table 18 contains open caveats in ASDM software Version 7.1(1).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Resolved Caveats
- Resolved Caveats in 7.1(7)
- Resolved Caveats in 7.1(6)
- Resolved Caveats in 7.1(5.100)
- Resolved Caveats in 7.1(5)
- Resolved Caveats in 7.1(4)
- Resolved Caveats in 7.1(3)
- Resolved Caveats in 7.1(2.102)
- Resolved Caveats in 7.1(2)
- Resolved Caveats in 7.1(1)
Resolved Caveats in 7.1(6)
Table 19 contains the resolved caveats in ASDM software Version 7.1(6).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Resolved Caveats in 7.1(5.100)
Table 20 contains the resolved caveats in ASDM software Version 7.1(5.100).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Resolved Caveats in 7.1(5)
Table 21 contains the resolved caveats in ASDM software Version 7.1(5).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Resolved Caveats in 7.1(4)
Table 22 contains the resolved caveats in ASDM software Version 7.1(4).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Resolved Caveats in 7.1(3)
Table 23 contains the resolved caveats in ASDM software Version 7.1(3).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Resolved Caveats in 7.1(2)
Table 24 contains the resolved caveats in ASDM software Version 7.1(2).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Resolved Caveats in 7.1(1)
Table 25 contains the resolved caveats in ASDM software Version 7.1(1).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation :
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.